Why do you care, as a DBA, or a Developer for that matter, about what is happening in the Transaction Log? Let's roll back a little and see... The raison d’être of a transaction log file is to record all the information we need to recover any and all activity happening against the database. Every SQL Server database must have at least one log file. Here, have a brief look at what it looks like inside the log file itself:

During the Spring of 2008, for an auditing project, our requirement was to be able to read the active log files, as well as those that were archived. The archived logs gave us the option, with the help of third party tools (or thanks in part to the query above), to effectively interrogate the log file as if it were one mega table. The way that Lumigent Log Explorer's documentation describes it: 'to assist you in solving or recovering from problems that may occur in a typical database system' - gets to the heart of what could be a potential point-in-time restore. Please use Full recovery model if this is your requirement, or if you are in doubt (thankfully it's a database model default setting) here are the many reasons why.

My view is that you may end up with a mystery transaction at one point that no logic can explain, and thus your database integrity is in question - not a place where any DBA wants to be, naturally. Empowering yourself to dig into the log file and resolve these types of mysteries is the main point of this post, because you will be able to find out what the values were before/after a change to the database, and who/what application has committed the change, whereas before one typically disregarded anomalies (at least I did most of the time before). This gives us motivation to ensure that log files are archived, since we're following Erasmus' proverb to 'leave no stone unturned,' with respect to resolving such mysteries.

Given that you can query the log file (you will see transactions as BEGIN_XACT, COMMIT_XACT, please see full reference list below), it is therefore possible to raise alerts for undesirable activity, e.g. someone executing data definition language in production. Combined with Database Mail and SQL Server Agent this can be automated too, or in the case of Lumigent Log Explorer, one can configure an alert for each DDL/DML command, which is perhaps useful to filter out problems in development. The approach of monitoring objects during manipulation or creation will allow you to take control of an environment progressively and proactively. Here is how to query the log file for some typical unwanted incidents:

USE [master]
GO
ALTER DATABASE [DBname] SET RECOVERY SIMPLE WITH NO_WAIT
GO
-- if you leave something in Simple, the rows after checkpoint
-- will be recycled, therefore I suggest FULL or at least Bulk_logged
USE [master]
GO
ALTER DATABASE [DBname] SET RECOVERY FULL WITH NO_WAIT
GO
-- if you need to clean up the space quickly for testing
USE [DBname]
GO
DBCC SHRINKFILE (N'DBname', 0, TRUNCATEONLY)
GO
-- truncate a table or perform undesirable activity, etc., then read the log
-- (assumption: the undocumented fn_dblog function is the source of the
-- operation and [Current LSN] columns filtered on below)
SELECT *
FROM fn_dblog(NULL, NULL)
WHERE operation='LOP_MARK_DDL' -- this will show rows where there is data definition language
-- alternative filters:
-- operation='LOP_MODIFY_ROW' or operation='LOP_INSERT_ROWS' or operation='LOP_DELETE_ROWS'
-- operation='LOP_BEGIN_XACT' -- means beginning of a transaction
-- operation='LOP_COMMIT_XACT' -- means the end of a transaction
ORDER BY [Current LSN] ASC
-- for the above Mark_DDL you can create a job step that checks your critical
-- databases for undesirable activity and if there is an existence of a DDL change (use IF EXISTS with the above)
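
The job step suggested in the closing comment of the script above, written out as an added example (it is not code from the original post): it reads the active log through the undocumented fn_dblog function, joins each DDL marker to the BEGIN_XACT record of its transaction to report the login and start time, and mails the result through Database Mail. The names DBname, DBAdmin.dbo.DdlAlertWatermark, the mail profile and the recipient are assumptions; the watermark table lives in a separate database so the job's own bookkeeping does not land in the monitored log.

```sql
-- Added example, not from the original post: T-SQL for a SQL Server Agent job step.
-- Assumed names: [DBname], DBAdmin.dbo.DdlAlertWatermark, mail profile, recipient.
-- fn_dblog is undocumented; column names are those of SQL Server 2005 and later.
-- Create once beforehand, in a separate database:
--   CREATE TABLE DBAdmin.dbo.DdlAlertWatermark (LastLSN nvarchar(50) NOT NULL);
--   INSERT INTO DBAdmin.dbo.DdlAlertWatermark (LastLSN) VALUES (N'');
USE [DBname];
GO
SET NOCOUNT ON;
DECLARE @last nvarchar(50), @newLast nvarchar(50), @body nvarchar(max);
SELECT @last = LastLSN FROM DBAdmin.dbo.DdlAlertWatermark;

-- Read the active log once, keeping only the two record types needed.
SELECT [Current LSN], Operation, [Transaction ID],
       [Transaction Name], [Begin Time], [Transaction SID]
INTO   #log
FROM   fn_dblog(NULL, NULL)
WHERE  Operation IN ('LOP_BEGIN_XACT', 'LOP_MARK_DDL');

-- DDL markers newer than the watermark. LEFT JOIN keeps a marker even when
-- its BEGIN_XACT record (name, start time, login SID) is no longer in the log.
SELECT d.[Current LSN], b.[Transaction Name], b.[Begin Time],
       SUSER_SNAME(b.[Transaction SID]) AS LoginName
INTO   #ddl
FROM   #log AS d
LEFT JOIN #log AS b ON  b.[Transaction ID] = d.[Transaction ID]
                    AND b.Operation = 'LOP_BEGIN_XACT'
WHERE  d.Operation = 'LOP_MARK_DDL'
  AND  d.[Current LSN] > ISNULL(@last, N'');  -- fixed-width hex, so string order = LSN order

IF EXISTS (SELECT 1 FROM #ddl)
BEGIN
    SET @body = N'DDL in the log of ' + DB_NAME() + N':' + NCHAR(13) + NCHAR(10);
    SELECT @body = @body + [Current LSN] + N'  '
                 + ISNULL(CONVERT(nvarchar(30), [Begin Time]), N'?') + N'  '
                 + ISNULL(LoginName, N'?') + N'  ' + ISNULL([Transaction Name], N'?')
                 + NCHAR(13) + NCHAR(10)
    FROM   #ddl;
    SELECT @newLast = MAX([Current LSN]) FROM #ddl;

    EXEC msdb.dbo.sp_send_dbmail
         @profile_name = N'DBA Mail',          -- placeholder profile
         @recipients   = N'dba@example.com',   -- placeholder recipient
         @subject      = N'DDL detected in transaction log',
         @body         = @body;

    -- Advance the watermark only after the mail was queued.
    UPDATE DBAdmin.dbo.DdlAlertWatermark SET LastLSN = @newLast;
END;
```

fn_dblog returns only the active portion of the log, so schedule the step to run more often than the log backups that truncate it.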

Internally to the SQL Server Log File you'll have an operation code that is captured by the log record. Here are the most common ones taken from a combination of Microsoft and Lumigent Log Explorer's help files.

• ABORT_XACT: Indicates that a transaction was aborted and rolled back.

• BEGIN_CKPT: A checkpoint has begun.

• BEGIN_XACT: Indicates the start of a transaction.

• BUF_WRITE: Writing to Buffer.

• COMMIT_XACT: Indicates that a transaction has committed.

• CREATE_INDEX: Creating an index.

• DELETE_ROWS: Rows were deleted from a table.

• DELETE_SPLIT: A page split has occurred. Rows have moved physically.

• DELTA_SYSIND: SYSINDEXES table has been modified.

• DROP_INDEX: Dropping an index.

• END_CKPT: Checkpoint has finished.

• EXPUNGE_ROWS: Row physically expunged from a page, now free for new rows.